A single phishing email impersonating a South Korean exchange has cost a billion-dollar identity startup $36 million and an entire chain deployment. Humanity Protocol’s bridge drain is the latest proof that North Korea doesn’t need zero-days when it has your inbox.
Blockchain security firm Quantstamp has formally linked the 8 June exploit of Humanity Protocol — a palm-scanning decentralised identity project valued at $1.1 billion — to suspected North Korean threat actors. The attack drained 141 million H tokens from the project’s Ethereum bridge, crashed the token by up to 90%, and left the BNB Smart Chain deployment “irreversibly compromised.” The entry point? A director who opened an email.
The $36 Million Email
The attack began on 5 June, three days before the on-chain exploit itself. A Humanity Protocol director received what appeared to be a routine email from Bithumb, one of South Korea’s largest cryptocurrency exchanges and a firm the team had an existing relationship with. The email was fake. It carried malware.
Once the director clicked, the attackers had full remote-desktop control of the machine. From it they extracted seven private keys stored locally, the keys that controlled the project’s Ethereum bridge contract. On 8 June, they moved.
Within hours, 141.18 million H tokens were siphoned from the bridge. Simultaneously, the attackers seized control of a ProxyAdmin contract on BNB Smart Chain, minting additional unauthorised tokens. The stolen and newly created supply was dumped across Uniswap and PancakeSwap over roughly eight hours, obliterating liquidity and sending H’s price into freefall.

The Same Playbook, Different Victim
Quantstamp’s forensic investigation identified malware tooling and code-signing behaviour “consistent with DPRK-linked intrusion techniques.” The malware was signed with a digital certificate of Hancom, a South Korean software vendor, a pattern the firm associates with North Korean operations.
This is not a new trick. It is, in fact, the oldest trick in Pyongyang’s handbook. The $1.5 billion Bybit hack in February 2025 started with a compromised machine belonging to a Safe{Wallet} developer. The $292 million KelpDAO exploit in April began with phishing. The $285 million Drift Protocol drain in May used the same social engineering approach.
The pattern is almost comically predictable: identify a team member with access, send them something they’d plausibly receive, wait for the click, steal the keys. No sophisticated zero-day required. No novel cryptographic attack. Just a convincing email and a human being doing their job.
What makes the Humanity Protocol case particularly damning is that seven private keys for a bridge contract, controlling tens of millions of dollars, sat on a single internet-connected workstation that also ran the director’s email client. Industry best practice for high-value operations demands multi-signature wallets, hardware security modules, and air-gapped signing ceremonies, so that no one machine and no one phished employee can move funds alone. Whatever else Humanity Protocol had deployed, the bridge keys were protected by none of these.
A Billion-Dollar Unicorn With Startup-Grade Security
Humanity Protocol raised $50 million across multiple rounds from blue-chip investors including Pantera Capital, Jump Crypto, and Kingsway Capital, achieving a $1.1 billion valuation by January 2025. The project positioned itself as a privacy-first alternative to Worldcoin, using palm biometrics instead of iris scans to verify users as human.
The irony is almost too neat: a project built on the premise of verifying human identity was undone by the most human vulnerability imaginable — trusting an email.

The Ethereum deployment has since been secured behind a separate multisignature wallet that was never compromised. The BNB Smart Chain deployment, however, is being permanently abandoned: the attackers still control its ProxyAdmin contract, and with it the ability to change the token’s implementation and mint at will. Humanity Protocol has advised all users to revoke token approvals granted to its contracts until further security assessments are completed.
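As an added illustration of that revocation advice (example code written for this article, not Humanity Protocol’s or Quantstamp’s), the following Python builds the two ERC-20/BEP-20 calls a user or wallet tool needs: `allowance(owner, spender)` to see what a contract may still spend on your behalf, and `approve(spender, 0)` to revoke it. The function selectors are the standard ERC-20 ones; every address and return value below is a constructed placeholder, and since the incident’s contract addresses are not given on this page, none is assumed. The encoding is the same on Ethereum and BNB Smart Chain.

```python
"""Build and decode the ERC-20 calls behind "revoke your approvals" advice.

Added example, not code from Humanity Protocol or Quantstamp. The selectors
are the well-known first 4 bytes of keccak256 over each ERC-20 signature;
all addresses used in the demo are constructed placeholders.
"""

# ERC-20 function selectors (hex): first 4 bytes of keccak256(signature).
SEL_APPROVE = "095ea7b3"    # approve(address,uint256)
SEL_ALLOWANCE = "dd62ed3e"  # allowance(address,address)

UINT256_MAX = (1 << 256) - 1


def _addr_word(addr: str) -> str:
    """ABI-encode an address as one 32-byte word (left-padded with zeros)."""
    h = addr.lower().removeprefix("0x")
    if len(h) != 40 or any(c not in "0123456789abcdef" for c in h):
        raise ValueError(f"not a 20-byte hex address: {addr}")
    return h.rjust(64, "0")


def _uint_word(value: int) -> str:
    """ABI-encode a uint256 as one 32-byte word."""
    if not 0 <= value <= UINT256_MAX:
        raise ValueError("value out of uint256 range")
    return f"{value:064x}"


def allowance_calldata(owner: str, spender: str) -> str:
    """Calldata for allowance(owner, spender); send via eth_call to the token."""
    return "0x" + SEL_ALLOWANCE + _addr_word(owner) + _addr_word(spender)


def revoke_calldata(spender: str) -> str:
    """Calldata for approve(spender, 0): the transaction that revokes an approval.

    This must be signed by the token owner's account and sent to the token
    contract; it is exactly the kind of transaction a hardware wallet should sign.
    """
    return "0x" + SEL_APPROVE + _addr_word(spender) + _uint_word(0)


def decode_uint256(result: str) -> int:
    """Decode the single 32-byte word returned by an eth_call for a uint256."""
    h = result.removeprefix("0x")
    if len(h) != 64:
        raise ValueError("expected exactly one 32-byte return word")
    return int(h, 16)


def classify_allowance(result: str) -> str:
    """Label an allowance() result: 'none', 'limited' or 'unlimited'.

    Wallets commonly grant 2**256-1 ("unlimited") to save on later approve()
    calls. An unlimited allowance to a contract whose admin is now hostile is
    the worst case and should be revoked first.
    """
    v = decode_uint256(result)
    if v == 0:
        return "none"
    return "unlimited" if v == UINT256_MAX else "limited"


def eth_call_request(token: str, data: str, req_id: int = 1) -> dict:
    """JSON-RPC request (as a dict; json.dumps it) for a read-only eth_call."""
    return {
        "jsonrpc": "2.0",
        "id": req_id,
        "method": "eth_call",
        "params": [{"to": token, "data": data}, "latest"],
    }


if __name__ == "__main__":
    # Constructed placeholder addresses, not real accounts or contracts.
    user = "0x1111111111111111111111111111111111111111"
    spender = "0x2222222222222222222222222222222222222222"
    token = "0x3333333333333333333333333333333333333333"
    print(eth_call_request(token, allowance_calldata(user, spender)))
    print("revoke tx data:", revoke_calldata(spender))
    # A simulated eth_call result of 2**256-1 (constructed, not fetched).
    print(classify_allowance("0x" + "f" * 64))
```

Post the `eth_call_request` body to any JSON-RPC endpoint for the chain in question and run the result through `classify_allowance`; the approvals worth revoking first are the unlimited ones to contracts whose upgrade or admin keys are no longer trusted, which after this incident means anything tied to the BNB Smart Chain deployment.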
The H token staged a brief 43% recovery after the initial crash, driven by speculation around recovery measures. But analysts warn the rally is fragile, with a scheduled token unlock later this month threatening fresh selling pressure — and the attacker’s remaining holdings still an open question.
When Will Crypto Learn?
Here is the uncomfortable truth that no one in this industry wants to confront: North Korea has now stolen over $2.1 billion in cryptocurrency in 2026 alone, and virtually every attack has followed the same template. Phishing email. Compromised device. Stolen keys. Bridge drained.
The technology is not the problem. Ethereum’s smart contracts did not fail. The cryptography held. What failed was operational security — the boring, unglamorous work of key management, access controls, and security hygiene that separates a serious financial institution from a startup running on vibes.
Humanity Protocol raised $50 million from some of the most sophisticated crypto investors on the planet. Not one of them, apparently, asked whether bridge keys were stored on an internet-connected laptop. Pantera Capital and Jump Crypto have seen enough exploits to write a textbook on the subject. Yet here we are.
The broader question is whether the crypto industry will ever treat operational security as seriously as it treats smart contract audits. Projects routinely spend hundreds of thousands of dollars on code reviews while leaving administrative keys on internet-connected workstations that also read email. It is the equivalent of installing a £500,000 vault door and leaving the back window open.
Until projects accept that the weakest link is almost always human, North Korea will keep cashing cheques. The Lazarus Group does not need artificial intelligence or quantum computing. It needs one person to open one email.
Humanity Protocol says it is “committed to finding the best way forward.” For the 141 million tokens already dumped on decentralised exchanges, the way forward arrived eight hours too late.